JANUARY SAVVY CYBERSECURITY NOTES

January 25, 2018

In this issue:

  • 3 cybersecurity predictions for 2018
  • Emerging threats: New scams to look for
  • Cybersecurity shorts: Cybersecurity legislation, an UberEATS hack, Android malware, and much more
  • Software updates

3 Cybersecurity Predictions for 2018

The end of the year gives us time to reflect on the past 12 months. In the cybersecurity world, there's a lot to reflect on. Several record-breaking breaches hit us in 2017—3 billion accounts exposed via Yahoo, 143 million Americans hacked through Equifax, a $100,000 payout at Uber to cover a breach affecting over 50 million.

According to the Identity Theft Resource Center, there were over 1,250 breaches in 2017—nearly 200 more than 2016 and 300 more than in 2015. It's safe to say that cyberattacks will continue to grow in 2018.

But what exactly will cybersecurity look like in 2018? Here are some predictions we've been reading about.

  1. Start saying goodbye to passwords

The sheer number of data breaches exposing usernames and passwords has highlighted the dangers in depending on this insecure login method. More often than not, users repeat passwords on multiple sites despite being aware of the dangers. Once one site is hacked, those repeated credentials can be used to hack into other sites.

For that reason, many sites are looking into password alternatives. Some companies already offer alternatives such as one-time passwords. In these instances, instead of entering a password you are sent a code via text message or authenticator app once you enter your username. It's similar to two-factor authentication, but you never have to enter the weak password.

There are other alternatives such as social login. This is where you can sign into other accounts using your established Facebook or Google account. We expect to see an increase in these new alternatives in 2018.

  2. More dangers surrounding Internet of Things (IoT) devices

The year 2017 brought us new connected gadgets to make our lives easier but unfortunately, they did not come with better security. For years, security experts have warned that many of these devices are insecure.

In some cases, these devices have been hacked to form a botnet—an army of infected devices that can shut down servers and websites.

We've also heard of IoT devices that can spy on users. Earlier this year, a story broke that the robotic vacuum Roomba may start mapping users' houses and collecting data.

As you purchase new connected devices next year, we urge you to think about their security and privacy implications.

  3. New data breach laws

On a positive note, 2018 could bring more regulations about how companies handle our data. The European Union passed the General Data Protection Regulation (GDPR) in 2017, which lays down strict rules on how customer data is protected by any company doing business in the EU. The compliance deadline is May 25th, 2018, but many companies are not on track to meet the deadline. Many believe that the EU will make an example of U.S. companies that do not meet the new regulations.

Over in the U.S., three senators have introduced legislation that would force companies to notify customers of a data breach within 30 days. Currently, nearly every state has its own data breach notification law, but a national standard would ensure all consumers are protected equally.

Looking forward

Each year brings us new cybersecurity threats to defend against—but also brings new ways to fight back. We must all stay vigilant with our cybersecurity plans and adapt when it's indicated. We’re looking forward to this new year of cybersecurity vigilance and will continue to keep you updated with the latest news.

We wish you all a very happy 2018!

Emerging Threats

Secret admirer or scam? Think twice if you get a delivery of wine and flowers, says law enforcement. The new scam tricks victims into thinking they have a delivery and requires the recipient pay $3.50 to verify the delivery, as it contains a bottle of wine. The delivery man demands a credit card instead of cash and asks for the victim's PIN. The credit card information is then used fraudulently.

Be on the lookout for a new PayPal phishing scam. Consumers have reported a new phishing campaign making the rounds that appears to be from PayPal's customer service. The email asks the recipient to verify a recent transaction. Clicking brings the reader to a fake PayPal page that asks for personal information such as name, credit card number, and date of birth. The phishers used security certificates to make the webpage look legitimate. If you receive an email from PayPal like this, delete it and visit the PayPal website directly to check your account.

Cybersecurity Shorts

Massive Uber breach also affects UberEATS customers. Last month, news broke of a breach at Uber that impacted nearly 60 million users and drivers. Uber reportedly tried to cover up the breach by paying the hackers $100,000. Now, both users of the ride-sharing app and the food delivery service are reporting unauthorized charges to the credit cards linked to those accounts. One individual reports being charged over $100 from two UberEATS orders in Russia. If you use Uber for rides or delivery, be sure to watch your account closely for any suspicious charges.

Disposable credit cards could end online credit card fraud. Various start-up companies are working on developing virtual disposable credit cards that could put an end to the $16 billion credit card fraud problem. The idea is that users would be able to generate "virtual cards" that are tied to their bank account. These virtual cards have their own number, security code, and expiration date. The cards could be used once or up to a certain dollar amount that is predetermined. Consumers would generate a virtual card for online purchases and once it is used (or the dollar amount is reached), it could no longer be used, thus thwarting many fraud attempts.

National data breach notification bill introduced in the Senate. This piece of legislation (introduced by three Democratic senators) would require organizations to notify customers of any data breach within 30 days of discovery. The penalty for not following this law would be a five-year prison sentence. The bill also asks the Federal Trade Commission to create security standards for customer information protection and storage.

Phishers are improving their strategies—be aware. A new report from PhishLabs found that phishing websites are improving and appearing to be more legitimate to consumers. For example, about one-quarter of all phishing sites surveyed in the third quarter were hosted on HTTPS domains—nearly twice as many as in the second quarter. (HTTPS is what gives websites that green lock in the URL bar.) Luckily, the same anti-phishing actions still work. Be sure to inspect any links closely by hovering your mouse over hyperlinked text or buttons. When in doubt, contact the company directly and inquire about the message.

Nearly 500 HP laptop models have a pre-installed keylogger that can record everything you type. A security researcher discovered the flaw present in many HP laptop models that could allow hackers to spy on everything you type—including passwords. The good news is that the vulnerability is turned off by default and a hacker would need physical access to your device to enable it. Still, you should update your software to get rid of the bug. You can see a list of affected models here.

New Android malware has capability to destroy phone, infect your contacts, and collapse servers, according to a discovery by Kaspersky Lab. The malware, called Loapi, is hidden in malicious apps available outside of the Google app store. The malicious apps are shared with users through advertisements. One infected phone overheated so much that it expanded and broke.

Small businesses are constantly targeted by hackers and scammers. One data breach can cripple a small business so it's imperative that business owners take action when it comes to cybersecurity. Take a look at this list of resources provided by Small Business Trends if you are a small business owner.

Software Updates

Adobe: Adobe released yet another update for Adobe Flash Player this month. If you still need Flash on your device, be sure you are running version 28.0.0.126. Also be sure to update any browsers that support Flash. You can download the update here.

Microsoft: Microsoft released over 30 updates for Windows, Microsoft Edge, Office, Exchange, and Microsoft Defender/Security Essentials. The flaw in Microsoft Defender/Security Essentials is considered critical but the program regularly updates itself. Your device should prompt you to update automatically.